1. Field of the Invention
The present invention relates to detecting a kernel-mode rootkit that hooks the Windows System Service Dispatch Table.
2. Description of the Related Art
A rootkit is a set of software tools intended to conceal running processes, files or system data, thereby helping an intruder to maintain access to a system whilst avoiding detection. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules. A rootkit needs to hide something, whether it is a process, a thread, a file, a registry entry, etc., from user mode applications and from kernel mode device drivers. To achieve that, rootkits have to alter the execution path of the file system, process, thread and registry functions.
One popular technique used by rootkit device drivers is to hook the file system, process and registry query functions inside the System Service Dispatch Table (SSDT) by replacing the function pointers inside the SSDT with new pointers that point to their own functions. This change of the execution path affects all Nt/Zw function calls made by user mode applications and all Zw function calls made by kernel mode device drivers.
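The following is an added example that is not part of the patent text and does not reproduce any implementation the patent describes. It models the two checks a detector typically applies to the dispatch table described above: (1) every service pointer should lie within the kernel image, so a pointer into some other module indicates a replaced entry, and (2) the live table should match a trusted snapshot taken earlier, which also catches replacements that stay inside the kernel image. The table contents, the kernel base address and the "hooked" entries are constructed values; the helper names are hypothetical. On a real 32-bit Windows system the table is reachable through the exported KeServiceDescriptorTable symbol, and the checks would run in kernel mode; here they run over an in-memory copy so the logic can be exercised in user space.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: a user-space model of an SSDT integrity check.
 * All addresses below are constructed for illustration. */

typedef struct {
    uint64_t base;   /* load address of the kernel image (hypothetical) */
    uint64_t size;   /* size of the mapped image in bytes */
} image_range_t;

/* True when addr lies inside [base, base + size). */
static int addr_in_image(uint64_t addr, const image_range_t *img) {
    return addr >= img->base && addr - img->base < img->size;
}

/* Check 1: every service pointer must point into the kernel image.
 * Returns the number of entries that do not, and writes their indices
 * to out (at most max_out of them). */
size_t ssdt_check_range(const uint64_t *table, size_t count,
                        const image_range_t *kernel,
                        size_t *out, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (!addr_in_image(table[i], kernel)) {
            if (found < max_out) out[found] = i;
            found++;
        }
    }
    return found;
}

/* Check 2: compare the live table against a trusted baseline snapshot.
 * Any entry that differs has been replaced since the snapshot was taken,
 * even if the new pointer still falls inside the kernel image. */
size_t ssdt_check_baseline(const uint64_t *live, const uint64_t *baseline,
                           size_t count, size_t *out, size_t max_out) {
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        if (live[i] != baseline[i]) {
            if (found < max_out) out[found] = i;
            found++;
        }
    }
    return found;
}

/* Constructed scenario: kernel image at 0xFFFFF80000400000 (8 MiB) and a
 * six-entry table in which entries 2 and 5 have been redirected into a
 * third-party driver image mapped at 0xFFFFF88001000000. */
#define DEMO_COUNT 6
static const image_range_t demo_kernel = { 0xFFFFF80000400000ULL, 0x800000ULL };
static const uint64_t demo_baseline[DEMO_COUNT] = {
    0xFFFFF80000412340ULL, 0xFFFFF80000451000ULL, 0xFFFFF80000470A20ULL,
    0xFFFFF800004B3300ULL, 0xFFFFF800005C0010ULL, 0xFFFFF80000620F00ULL,
};
static const uint64_t demo_live[DEMO_COUNT] = {
    0xFFFFF80000412340ULL, 0xFFFFF80000451000ULL, 0xFFFFF88001002000ULL,
    0xFFFFF800004B3300ULL, 0xFFFFF800005C0010ULL, 0xFFFFF88001003800ULL,
};

/* Number of entries the range check flags in the constructed scenario. */
size_t demo_range_hooks(void) {
    size_t idx[DEMO_COUNT];
    return ssdt_check_range(demo_live, DEMO_COUNT, &demo_kernel, idx, DEMO_COUNT);
}

/* Number of entries the baseline comparison flags in the constructed scenario. */
size_t demo_baseline_hooks(void) {
    size_t idx[DEMO_COUNT];
    return ssdt_check_baseline(demo_live, demo_baseline, DEMO_COUNT, idx, DEMO_COUNT);
}

/* Index of the n-th flagged entry from the range check, or (size_t)-1 if none. */
size_t demo_range_hook_index(size_t n) {
    size_t idx[DEMO_COUNT];
    size_t found = ssdt_check_range(demo_live, DEMO_COUNT, &demo_kernel, idx, DEMO_COUNT);
    return n < found ? idx[n] : (size_t)-1;
}

int main(void) {
    size_t idx[DEMO_COUNT];
    size_t n = ssdt_check_range(demo_live, DEMO_COUNT, &demo_kernel, idx, DEMO_COUNT);
    printf("%zu entries point outside the kernel image:", n);
    for (size_t i = 0; i < n; i++) printf(" #%zu", idx[i]);
    printf("\n");
    return 0;
}
```

The range check needs no prior state but cannot see a hook that lands inside the kernel image; the baseline comparison sees every change but is only as trustworthy as the moment the snapshot was taken, which is why the background above stresses establishing protection before the operating system and any rootkit has loaded.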
A number of techniques for detecting rootkits and protecting computer systems from rootkits have arisen. However, as implemented, these techniques only start protecting the computer system after the operating system has been loaded. Rootkits, or other bad software (malware), can run before the detection and protection software is loaded to memory and allowed to execute. This may cause a problem in that the detection and protection software may miss the presence of the rootkit, or may be affected or modified by the rootkit.
Another problem arises when detection and protection software malfunctions (such as due to a bug in the software) and blocks the ability of the computer system to access the Internet. Typically, such malfunctions are corrected by downloading an update or patch to the software over the Internet. However, if the malfunction itself prevents the computer system from accessing the Internet, it becomes very difficult for the typical update mechanism to download an update or patch that will resolve the bug causing the failure to access the Internet. Such a bug would also prevent the user of the computer system from manually visiting an update website to download a patch to resolve the issue.
A need arises for a technique by which malware detection and protection software can detect malware, such as rootkits, before the operating system has been loaded and which provides the capability to patch malfunctions that block the ability of the computer system to access the Internet.